Driver Signing and File System Verification

In an article last month, I wrote about Windows File Protection, a Windows 2000 (Win2K) feature that protects your crucial system files by preventing other applications from overwriting them. By default, Windows File Protection lets other applications replace system files only when you use Windows Update, perform OS upgrades using winnt32.exe, install service packs with Windows Update, and install hotfixes.

Microsoft has digitally signed Win2K system files to ensure that the OS will run smoothly. A digital signature is Microsoft’s assurance that no other software installations have altered the files and that Microsoft has tested the files and approved them for use with Win2K. If someone accidentally or intentionally replaces a system file or a device driver, Windows File Protection automatically replaces the offending file or driver with Microsoft’s digitally signed file. This week, I discuss the driver signing concept and the File System Verification utility.

Driver Signing If you're worried that you no longer have control over your Win2K computer and that Microsoft is dictating the behavior of your OS, don’t worry you can configure the file signature verification behavior to your liking with driver signing. Here's how: Go to Start, Settings, Control Panel, System, and click the Hardware tab. Under Device Manager, click the Driver Signing button to configure the file signature verification options, as Screen 1 shows. You can choose to ignore file verification so that all device drivers install regardless of whether Microsoft has digitally signed them. You can also choose the default behavior to receive a warning before the system installs a device driver that Microsoft has not digitally signed—an option that lets you accept or reject certain drivers. Finally, you can simply block installations of device drivers that Microsoft hasn't digitally signed. The Administrator option that Screen 1 shows lets you apply any file signature verification setting as the system default for all users who log on to a computer.

File Signature Verification With the File Signature Verification utility, you can identify files that Microsoft hasn't digitally signed. You can look at a file’s name, location, modification date, file type, and version number. To start the file signature verification process, go to Start, Run, and type sigverif. Before you start the utility, you can configure advanced options by clicking the Advanced button and selecting options on the Search and Logging tabs, as Screen 2 and Screen 3 show. With the default search option, the system warns you about system files that Microsoft hasn't signed. You can select another option to search your system for other files that Microsoft hasn't digitally signed. The Logging tab lets you save the results of file signature verification to a log file (sigverif.txt). You can either append these results to an existing log file or overwrite it. In Screen 3, the View Log button on the Logging tab isn't available because I captured the screen shot before I started the verification process. After I completed the verification process, the View Log option let me read the log file.

Once you have configured the advanced options, click Start to begin the signature file verification process. The process can take some time, depending on the number of files on your system. Screen 4 shows the signature verification results for my computer. As you can see, Microsoft didn't digitally sign 14 of the 679 files on my system. Most of these files are drivers associated with my printer. The end of the sigverif.txt log file lists the 16 unscanned files. The modification dates and version numbers can come in handy when you're troubleshooting a problem. Screen 5 shows a sample sigverif.txt log file. The system creates this file in the %systemroot% folder (by default, \Winnt).